iptables +block country

Harry Strongburg harry.ubuntu at harry.lu
Mon Aug 16 08:57:52 UTC 2010

On Mon, Aug 16, 2010 at 09:17:56AM +0200, Markus Schönhaber wrote:
> 16.08.2010 08:13, Harry Strongburg:
> > 1) It makes known to them that you "exist", if they didn't already know.
> You can't hide your "existence" by not answering to connection requests.
> If you truly didn't "exist" the last hop *before* your not existing
> machine would send a host unreachable ICMP message. The lack of this
> message shows that something's there.

This is true, but they could also assume that the box is offline and 
behind a NAT if their connects time out. Dropping ICMP would probably 
help. In the case of SSH scan bots, they usually just scan most 
residential blocks.

> > 2) Wastes bandwidth sending a rejection to them.
> You save the bandwidth a TCP reset / ICMP port unreachable package would
> use. OTOH, the scan-bot might try multiple times because he thinks the
> probe got lost somehow. So, depending on the behaviour of the bot,
> dropping probes might even use more bandwidth.

Good point. My point was that you are not sending out more bandwidth 
than you need to. It also comes down to the fact that most residential 
connections have a much higher download rate than upload, which could 
also influence your decision.

But yeah, fail2ban and using a high port for anything with 
authentication has lowered attacking bots to less than one per year. The 
one or two it catches per year appeared to have been manually started, 
not a normal port-22 scan. The one to two that come in, fail2ban grabs 
and bans them for however long I want! >:) As long as your password is 
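As an added illustration of the fail2ban behaviour mentioned above (example code written for this note, not part of the original thread and not fail2ban's own implementation): a minimal sliding-window counter over constructed sshd log lines, using hypothetical IPs from documentation ranges, that returns which sources would be banned after `maxretry` failures within `findtime_s` seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH's format; the hosts and IPs
# (198.51.100.0/24, 203.0.113.0/24 documentation ranges) are hypothetical.
SAMPLE_LOG = """\
Aug 16 08:50:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Aug 16 08:50:04 host sshd[1202]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Aug 16 08:50:09 host sshd[1203]: Failed password for root from 198.51.100.7 port 51251 ssh2
Aug 16 08:51:30 host sshd[1210]: Accepted publickey for harry from 203.0.113.5 port 40000 ssh2
Aug 16 08:52:00 host sshd[1215]: Failed password for invalid user test from 198.51.100.9 port 42000 ssh2
Aug 16 09:10:00 host sshd[1220]: Failed password for invalid user test from 198.51.100.9 port 42001 ssh2
Aug 16 09:20:00 host sshd[1221]: Failed password for invalid user test from 198.51.100.9 port 42002 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port"
)


def parse_failures(log_text, year=2010):
    """Yield (timestamp, source_ip) for every failed sshd login line.

    Syslog timestamps carry no year, so one is supplied (assumed 2010 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def ips_to_ban(log_text, maxretry=3, findtime_s=600):
    """Return the set of IPs with >= maxretry failures inside any findtime_s window.

    Mirrors the fail2ban maxretry/findtime idea: failures older than the
    window are forgotten, so slow probes spread over hours are not banned.
    """
    recent = defaultdict(list)
    banned = set()
    for ts, ip in parse_failures(log_text):
        # keep only failures that fall within the window ending at this event
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

With the defaults, 198.51.100.7 (three failures in eight seconds) is banned while 198.51.100.9 (three failures spread over 28 minutes) is not.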
